
according to results from the Ernst & Young Global Information Security Survey 2004.

Survey results show that people at the highest management levels don't receive adequate, security-related information for making prudent decisions and need to engage more in decision-making communications.

While organizations depend on various outside providers (e.g., outsourcing firms) to handle information processing, fewer than one-third of the respondents say they review an outside firm's compliance with their organization's information security policies. Without such audited compliance checking, risk assessments and related status reports, top managers cannot know what is happening, and most assuredly will not deal effectively with information security problems.

Information security policy tasks routinely get postponed, and in some cases are ignored outright, by top managers who lack the background to analyze policy documents effectively; this degrades the quality of the guidance they give their organizations. Most top managers cannot properly evaluate the policies that need their approval or modification, and they do not know which questions to ask in order to become informed. Information security is far too important for top management to act as a rubber-stamping service.

The survey results specifically reflect poor information security guidance coming from the top-tier, with only 28% of those managers at the responding firms citing goals to heighten their staff's security awareness level in the upcoming year. This low percentage is surprising, given that survey results also identify "raising the level of information security awareness" as the number one obstacle to improving information security.

While top managers may lack adequate decision-making information, too many workers still subscribe to the "not my problem" perspective on information security. They rationalize their lack of personal involvement with statements like "when top management tells me to do something about information security, then I'll pay attention to it." Workers fail to tell top managers about pressing and needed security improvements, which contributes to a vicious cycle of ignorance, non-involvement and irresponsibility.

How can organizations break this cycle? The first step is to establish an infrastructure that supports, encourages and requires adequate communication about information security from the top down and bottom up. This can be structured through information security policies used in conjunction with detailed job descriptions and specific information security procedures. Policies and procedures should require top managers to define and communicate an overall strategy, assign responsibility for information security and engage in discussions about appropriate policies. Policies should require internal audits and periodic risk assessments for all information services. They should call for organization-wide information security status reports and compliance reports on laws and regulations (such as Sarbanes-Oxley). They should require incident handling reports and analysis about the adequacy of existing information systems controls.

Such an infrastructure involves many components, which can be mutually reinforcing. For example, a communications infrastructure could include multiple pathways so that important information is more likely to reach top management. This might involve an anonymous voicemail hotline for reports of security vulnerabilities and incidents. Such a hotline could provide an escape valve for channeling important, time-sensitive information that would otherwise get the reporting individual into trouble with a mid-level manager. Likewise, periodic reports issued to a board of directors' audit committee would ensure that important information gets passed up. This could counter the information blocking by middle management that often occurs in other channels, out of fear that a report might make a person or department look bad.

About the author: Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, Calif. He specializes in the development of information security documents, including policies, standards, procedures and job descriptions. He is also the author of the book and CD-ROM entitled Information Security Policies Made Easy.
